"When the application executes, it shows a WebView component that displays an HTML/JavaScript web page that pretends to be a Token Generator," Castillo writes. "The web page also appears to be from the targeted bank (same variant of the malware but with different payload)."